• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 181
  • Last Modified:

I found a file that is some sort of virus that I can't remove

I am dealing with a dll file called ndhygv.dll on a windows xp home edition PC.  I can't remove the dll.

I found it in the registry, delete the key and it puts it back by itself.

I delete it from startup using msconfig and close and don't reboot to get out of msconfig.  Then I run msconfig again and look at startup.  It is there again.  The virus? is putting it back in for me.  In safe mode, I can't delete the file either.

Any ideas.  <removed by modulo>

I would greatly appreciate any assistance.

Tim Chapman
0
TimChapman
Asked:
TimChapman
  • 11
  • 5
  • 3
  • +2
1 Solution
 
sunray_2003Commented:
TimChapman,
> I delete it from startup using msconfig

Did you mean disable it ?  

go to startup tab in msconfig and disable all applications. reboot the machine and check if it would appear. If it doesnot appear then enable the applications one by one and check which application might cause that ..

#Sun
0
 
TimChapmanAuthor Commented:
I did go to the startup tab and disable each application other than the norton applications.  I also tried unchecking the button that says Load Startup Items.  I would then exit msconfig without rebooting.  I would then immediately open it again.  The Load Startup Items button would be checked and the item would be checked in the Startup list.  The virus? is doing this itself.  Same when I would remove it from the registry.  It would put itself back.  This is a very difficult problem to solve because Safe mode did not help either.  Same results there.  It loads in safe mode.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
sunray_2003Commented:
TimChapman,
>  I would then exit msconfig without rebooting.  

As I had previously said , after doing that in msconfig reboot the machine and see what happens.

have you used the spyware removal tools and checked for virus ?

Post back doing all these
0
 
sunray_2003Commented:
TimChapman,

Also try this

First make a backup of your registry

then go to registry and search for that name that you see in that folder in desktop
if you are not familiar with it , delete it

For searching first press ctrl + F. after it reports the first search , press F3 and search again and keep doing until you find all references to it

Post back
0
 
sunray_2003Commented:
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;322756
0
 
TimChapmanAuthor Commented:
After disabling all applications in MSconfig and rebooting, I ran msconfig again.  The entry was still there and the startup items were enabled.  Having disabled them before shutdown, it seems that the virus? is reenabling the startup items.

> in that folder in desktop

What folder are you referring to?
0
 
sunray_2003Commented:
oh i meant this ndhygv.dll

search for this name in registry and remove it if you are not sure what is it ..
i donot see any reference to this dll in google so you can remove it

msconfig checks these in registry


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

go to registry , check these and remove anything that you are not sure of
0
 
TimChapmanAuthor Commented:
I removed all entries with ndhygv.dll.  Before I could even close regedit, they were back again.  This is very insidious.   The run and runonce keys, I checked and deleted all I did not recognize, but it did no good as these entries would return by themselves.  There is not point in deleting more entries as the changes won't take effect until I reboot and the dll is run again.  The needs tougher measures and I don't know where to begin.
0
 
sunray_2003Commented:
Also try doing these

a) remove temporary internet files , cookies and history going to Internet explorer ---> tools ---> Internet options

b) goto start --> run --> %temp%
remove all the files there . DONOT REMOVE THE TEMP FOLDER.just remove the files inside

c) Also do disk cleanup
0
 
sunray_2003Commented:
TimChapman,

have you tried all the spyware tools and virus yet ? try them and post back..

check your control panel --> add/remove programs of any unknown program. If you have uninstall them

Also use these registry cleaners

jv16 http://download.com.com/3000-2094-10196668.html?tag=lst-0-1 (FREEWARE)
RegCleaner http://www.vtoy.fi/jv16/shtml/regcleaner.shtml
AATools RegClean http://www.glocksoft.com/aatools_registry_cleaner.htm
Registry Medic  http://www.iomatic.com/products/product.asp?ProductID=registrymedic
RegVac  http://regvac.com/fregvac.htm#download
0
 
TimChapmanAuthor Commented:
I tried deleting temporary internet files.  Some won't delete.

I did not run %temp%.   Please tell me what that should do.  I have never seen that before.

The computer hangs when I try to do a disk cleanup.
0
 
sunray_2003Commented:
TimChapman,
> I tried deleting temporary internet files.  Some won't delete.

what do you mean by this ?

go to start --> run and typein " %temp% "  (without quotes)
it will open the temporary folder where all temp files are stored in your machine
remove all those files ..


Not sure why diskcleanup would hang your machine.. Wait for sometime when you do diskcleanup as there would be many unwanted files to cleanup

restart the machine after doing all these
0
 
sunray_2003Commented:
what is the status ?

have you tried all spyware tools , virus scanners etc

remove all those temp files ..

post back
0
 
TimChapmanAuthor Commented:
I have to wait to do those.  The computer is at a client's location.  He may not want to pay me the hours needed to continue.  I emailed him to ask him to let me have the computer at my site so I can work on it without charging him.  I would like to get to the bottom of this virus (?).  I was very suprised to find nothing about it when I searched google.  Looks like something new.  

I don't understand the Experts Exchange regarding the Accept button.  When I accept a reply, does that mean the sender gets the 500 points?

Thanks for your effort on this.  I will try to see this to completion so the points can be given and so that the problem can be solved and the information shared.

Tim
0
 
sunray_2003Commented:
looks like it is a new virus or trojan or spyware

This is how it works

u assign 500 pts or how  much ever you can depending on the question
once u click accept , u will be taken to a page where u need to give the grade.
depending on the grade, the expert wud get pts

say if you give A grade, expert would get 500 * 4 = 2k pts
if B grade , 500 * 3
if C grade , 500 * 2

Hope you understand
0
 
trywaredkCommented:
Cleaning your computer  - and protecting it in the future -  can't be answered with one issue.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you does'nt protect your computer at all.

The reason is, that the many different programs not always protects against each other, and each of them does'nt protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
trywaredkCommented:
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp - hi9
0
 
trywaredkCommented:
This is how to find ndhygv.dll and stop it.

1. Start / Run / regedit
2. ENTER
3. CTRL-B
4. ndhygv.dll
5. ENTER
6. If you find it in HKCR/CLSID/{xxxx-xxxx-xxxx}/InprocServer32 then identify all the {yyyy-yyyy-yyyy} in the regkey like HKCR/CLSID/{xxxx-xxxx-xxxx}/Implemented Categories/{yyyy-yyyy-yyyy}
7. If you can find the same {yyyy-yyyy-yyyy} in HKLM/Software/Microsoft/Internet Explorer/ActiveX Compatibility/ then set a kill bit according to:

How to Stop an ActiveX Control from Running in Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;en-us;240797&sd=tech
0
 
barcelona_blomCommented:
Tim Chapman

Use this command to unregister the dll file then delete it,
Change the path to wherever the dll resides.

RegSvr.Exe /u \windows\[controlname]       click start then run and enter the command.

Then delete the registry entries for the file.

0
 
nader alkahtaniNetwork EngineerCommented:
regsvr32 /u %systemroot%\system32\ndhygv.dll

ENTER

regsvr32 /u %systemroot%\system\ndhygv.dll

ENTER

good luck
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

  • 11
  • 5
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now